This page contains a list of some of the larger, more noteworthy feature changes to BoKS throughout the 7.x versions. It is not a complete list. For more complete and detailed information, please see the Release Notes and Administration Guide for a specific version.
New Audit Logging Infrastructure
A completely new audit log server and logging infrastructure has been implemented to make logging more efficient and extensible. The implementation is based on the syslog standard. The program logadm has been replaced by bokslogadm and the program bkslog has been replaced by bokslogview.
Support is included for relaying logs from BoKS to an external syslog server.
New Format for Unix Groups
Unix groups in BoKS now have the format hostgroup|host:group, meaning that Unix groups are provisioned to the appropriate hosts when they are created. Group provisioning is no longer dependent on user membership before being provisioned.
Keystroke Log Transfer Mechanism
BoKS Manager 7.0 includes functions for direct transfer of keystroke log files from keystroke logged sessions so that if so configured no keystroke log files are stored on the local host. Keystroke log relay servers are installed on all Replicas and the Master.
You can configure per host and Host Group what relay servers are prioritized when keystroke logs are transferred over the network.
You can specify at an Access Routes level how log file transfer is handled and what fallback mechanisms are used, if any.
Keystroke logs now have a unique Log ID (LID) that allows them to be linked to audit log events that are related to the particular keystroke logged session.
Longer Default Key Length for Certificates
Certificates in user and host virtual cards, and CA certificates in BoKS, now have a longer default key length: 2048 bits for user and host certificates and 4096 bits for CA certificates.
Items Moved to BoKS Database
Host pre-registration data and pre-registration types are now stored in the BoKS database rather than files. This is also the case for time zone information for hosts and the alarmlog label list.
Protocol Logging Now Activated at Install
The audit logging of SSH commands, SCP, SFTP and, on Linux, REXEC commands is activated when you install a new BoKS Master, but can be deactivated if required in the BoKS ENV file.
Host Group and User Class Name Size
The HOSTGROUP and USERCLASS fields in the BoKS database have been extended to 64 characters.
Access Rule Enhancements
The BoKS access control mechanism has been enhanced, with BoKS Access Rules (the new name for Access Routes) managed using a new CLI program, boksrule. Enhancements include:
A new CLI program, boksrule, has been added for managing Access Rules for both users and User Classes. The programs ttyadmin and routeadm are still included and support the new enhancements in this version; however, these programs are deprecated and may not be supported in future versions.
User Account Enhancements
The following user account enhancements are included:
Improved User Activity Tracking
The mechanism to determine a user's activity has been re-written. The new method has an 8-hour resolution. This minimizes replication traffic while still providing the ability to determine if an account is active and when it was last used. A user's activity date is updated any time one of the following authentications is successful:
(For methods where fromuser authentication is used, both the to- and from-user accounts are updated.)
suexec - from & to updated
su - from & to updated
ssh_sh - user updated
ssh_exec - user updated
scp - user updated
telnet - user updated
rlogin - user updated
rsh - user updated
edit - from & to updated
bccas - user updated
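The 8-hour resolution above is a trade-off: fewer replicated record updates in exchange for a last-activity value that can lag the real last use by up to eight hours. The following is an added example, not BoKS code, that simulates one way such a coarse-resolution scheme can work (the record is rewritten only when an event falls in a later 8-hour window than the stored timestamp; BoKS documents the resolution, not the implementation, so the bucketing is an assumption) and counts the writes it saves against an update-on-every-login scheme. The account-update mapping follows the list above; the events and account names are constructed.

```python
# Added example, not BoKS code: simulate coarse-resolution last-activity
# tracking and count how many record updates (replicated writes) it causes.
# Assumption: a record is rewritten only when the new event falls in a later
# 8-hour window than the stored timestamp; BoKS documents the 8-hour
# resolution but not how it is implemented.
from datetime import datetime, timedelta, timezone
from typing import Optional

RESOLUTION = timedelta(hours=8)
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Which accounts a successful authentication touches, per the list above.
UPDATES_FROM_AND_TO = {"suexec", "su", "edit"}
UPDATES_USER_ONLY = {"ssh_sh", "ssh_exec", "scp", "telnet", "rlogin", "rsh", "bccas"}


def bucket(ts: datetime, resolution: timedelta = RESOLUTION) -> int:
    """Index of the resolution-sized window (counted from the epoch) containing ts."""
    return (ts - EPOCH) // resolution


def accounts_touched(method: str, user: str, fromuser: Optional[str] = None) -> set:
    """Accounts whose activity date a successful authentication updates."""
    if method in UPDATES_FROM_AND_TO:
        if fromuser is None:
            raise ValueError(f"{method} needs a from-user")
        return {fromuser, user}
    if method in UPDATES_USER_ONLY:
        return {user}
    raise ValueError(f"unknown access method {method!r}")


def replay(events, resolution: timedelta = RESOLUTION):
    """Apply events in order. Returns (last_activity_by_account, writes)."""
    last = {}
    writes = 0
    for ts, method, user, fromuser in events:
        for acct in accounts_touched(method, user, fromuser):
            prev = last.get(acct)
            # Only a later window triggers a rewrite of the stored record.
            if prev is None or bucket(ts, resolution) > bucket(prev, resolution):
                last[acct] = ts
                writes += 1
    return last, writes


def per_event_writes(events) -> int:
    """Writes a naive 'update on every authentication' scheme would issue."""
    return sum(len(accounts_touched(m, u, f)) for _, m, u, f in events)


# Constructed sample: a day of activity for three accounts (UTC timestamps).
T0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    (T0, "ssh_sh", "alice", None),
    (T0 + timedelta(minutes=10), "su", "root", "alice"),   # alice -> root
    (T0 + timedelta(hours=2), "scp", "alice", None),        # same window as T0
    (T0 + timedelta(hours=8), "ssh_exec", "alice", None),   # next window
    (T0 + timedelta(hours=9), "edit", "bob", "alice"),      # alice -> bob
    (T0 + timedelta(hours=30), "bccas", "bob", None),       # following day
]

if __name__ == "__main__":
    last, writes = replay(SAMPLE_EVENTS)
    print(f"coarse writes: {writes}, per-event writes: {per_event_writes(SAMPLE_EVENTS)}")
    for acct, ts in sorted(last.items()):
        print(f"{acct:8} last active {ts:%Y-%m-%d %H:%M} UTC")
```

On the sample, the coarse scheme issues 5 writes where per-event updating would issue 8, and alice's stored time is 17:00 even though her last login was at 18:00; when using the activity date to decide whether an account is dormant, allow for that lag.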
lsbks Output Improved
The command "lsbks -a|f" now shows user creation, modification and last activity times by default.
Internal BoKS protocols have been updated to fully support IPv6.
BoKS Password Manager
The BoKS Password Manager product is now integrated into BoKS Manager and FCC. It is no longer an add-on product requiring separate installation and configuration.
Keystroke Logging for BoKS SSH Access
The SSH_SH access method can be configured to be keystroke logged. This enables you to record in forensic detail user activity in interactive SSH sessions. The logging occurs at the tty and is not dependent on the user's shell. Note that this is not supported for SSH rules with chroot specified.
Keystroke Log Encryption Lifecycle Management
Ability to renew the encrypted keystroke logging CA when required.
BoKS Non-Privileged Editor
A new function has been added that allows you to give users access to create, view and edit files on BoKS-protected hosts as another user without having their privileges elevated to the other user. The BoKS non-privileged editor ensures that users cannot escape to a shell as the to-user. Access is controlled using the new EDIT access method, and is run by end-users with the boksedit/boksview program.
BoKS Performance Enhancements
BoKS AD Bridge Enhancements
suexec Noexec Option
A new option for suexec Access Rules, suexec_noexec, can be used to prevent programs started by suexec from running system exec commands and thus executing other programs in turn.
Error Log Improvements
lserrlog output can now be presented on single lines ("lserrlog -m").
Stronger Default Certificates
Certificates created by the BoKS internal CA are now signed with SHA256.
Syslog Relay Improvements
The syslog relay now supports both TCP and UDP protocols.
OpenSSH build version upgraded to OpenSSH v7.3. Added support for SHA512 fingerprints.
Nearly all objects in BoKS can now be renamed, rather than having to be deleted and recreated.
Functional Account Identification
Accounts now have a "functional account" flag. This flag can be set to make it easier to determine which accounts in the database are functional, as opposed to human. The setting can be modified and viewed with mkbks/modbks/lsbks, and through boks_bccasd.
Disable Password Hash Formats
Functionality has been added so that any password hash format for user passwords can be allowed or disallowed. Different sets of hash formats can be allowed or disallowed for functional and non-functional accounts.
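Separate allowlists for functional and human accounts matter because functional accounts are rarely forced through password rotation, so a weak legacy hash on one can persist indefinitely. The following added example, not BoKS code, shows the kind of audit such a policy implies: it classifies stored hashes by their standard crypt(3) identifiers and reports every account whose hash format is not on the allowlist for its account class. The policy, the account records and the hash values are constructed for the example.

```python
# Added example, not BoKS code: audit the hash format of stored user
# password hashes against allowlists that differ for functional and
# human accounts. The crypt(3) identifiers below are standard; the sample
# records, policy and hash values are constructed for this example.
import re
from typing import Iterable, Tuple

HASH_PREFIXES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt",
    "$2b$": "bcrypt",
    "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
}
# Traditional DES crypt: exactly 13 characters from the crypt alphabet.
DES_RE = re.compile(r"[./0-9A-Za-z]{13}")
NO_HASH = {"", "*", "!", "!!", "x"}


def hash_format(stored: str) -> str:
    """Classify a stored hash by its format identifier."""
    if stored in NO_HASH or stored.startswith("!"):
        return "none"           # locked account or no password set
    for prefix, name in HASH_PREFIXES.items():
        if stored.startswith(prefix):
            return name
    if DES_RE.fullmatch(stored):
        return "descrypt"
    return "unknown"


# Constructed policy: functional accounts get a stricter allowlist.
POLICY = {
    "functional": {"sha512crypt", "bcrypt"},
    "human": {"sha512crypt", "sha256crypt", "bcrypt", "yescrypt"},
}


def audit(records: Iterable[Tuple[str, bool, str]], policy=POLICY):
    """Return (user, format) for every account whose hash format is not allowed.

    records are (username, is_functional, stored_hash).
    Accounts with no hash are skipped; 'unknown' formats are always reported.
    """
    violations = []
    for user, is_functional, stored in records:
        fmt = hash_format(stored)
        if fmt == "none":
            continue
        allowed = policy["functional" if is_functional else "human"]
        if fmt not in allowed:
            violations.append((user, fmt))
    return violations


# Constructed records; the hash bodies are placeholders, not real digests.
SAMPLE_RECORDS = [
    ("svc_backup", True, "$1$c0nstr$uctedPlaceholderNotARealHash"),
    ("svc_deploy", True, "$6$c0nstr$uctedPlaceholderNotARealSha512Hashxxxxxxxxxxxxxxxxxxxxxxx"),
    ("alice", False, "$5$c0nstr$uctedPlaceholderNotARealSha256Hashxxxxxxx"),
    ("bob", False, "AbCdEfGhIjKlM"),
    ("carol", False, "*"),
]

if __name__ == "__main__":
    for user, fmt in audit(SAMPLE_RECORDS):
        print(f"{user}: hash format {fmt} not allowed for this account class")
```

Here the functional account svc_backup is flagged for an MD5-based hash that a human account might still be permitted, and bob is flagged for a legacy DES hash; carol has no hash at all and is skipped rather than reported as a format violation.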
Database Download Performance
Database download operations have been enhanced with two new daemons for improved download speed.
Host Last Activity
A LASTACTIVITY database field has been added for hosts; it is updated once per day if the host is up. BoKS 7.2 Server Agents make a call once per day while they are up so that the field is updated. For older Server Agents the field is updated only when they make calls to servc. The command "hostadm -l -o N" lists hosts whose LASTACTIVITY is older than N days, sorted with the most recent first, with hostname and date, one per line. For hosts with no LASTACTIVITY set, the value is listed as -. LASTACTIVITY also appears in the host listing ("hostadm -l") for BoKS hosts.
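A LASTACTIVITY listing is most useful when it is turned into a short report of hosts that have gone quiet, since those are the ones that may have been decommissioned without being removed, or that are no longer reachable for policy updates. The following added example, not BoKS code, classifies hosts from such a listing into recent, stale and never-reported. It assumes the listing has been reduced to "hostname date" pairs, one per line, with the date as YYYY-MM-DD and "-" for hosts with no LASTACTIVITY; the date format and the sample hosts are assumptions for the example. Keep in mind the caveat above: a host running an older Server Agent only updates the field when it calls servc, so a stale entry may reflect the agent version rather than a dead host.

```python
# Added example, not BoKS code: classify hosts from a LASTACTIVITY listing.
# Assumption: the listing has been reduced to "hostname date" pairs, one per
# line, with the date as YYYY-MM-DD and "-" for hosts with no LASTACTIVITY,
# in the spirit of "hostadm -l -o N". The exact date format is assumed.
from datetime import date

STALE_DAYS = 30


def parse_listing(text: str):
    """Yield (hostname, last_activity_date_or_None) from listing text."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue                      # skip blank or unexpected lines
        host, raw = parts
        yield host, (None if raw == "-" else date.fromisoformat(raw))


def classify(text: str, today: date, stale_days: int = STALE_DAYS):
    """Split hosts into recent, stale (older than stale_days) and never-reported.

    'recent' and 'stale' entries are (host, age_in_days), most recent first;
    'never' is a list of hostnames whose LASTACTIVITY is unset.
    """
    recent, stale, never = [], [], []
    for host, last in parse_listing(text):
        if last is None:
            never.append(host)
            continue
        age = (today - last).days
        (stale if age > stale_days else recent).append((host, age))
    recent.sort(key=lambda item: item[1])
    stale.sort(key=lambda item: item[1])
    return {"recent": recent, "stale": stale, "never": never}


# Constructed sample listing; hostnames and dates are made up.
SAMPLE_LISTING = """\
db01 2024-03-02
web07 2024-01-10
legacy03 -
build02 2023-11-29
"""

if __name__ == "__main__":
    report = classify(SAMPLE_LISTING, today=date(2024, 3, 10))
    for host, age in report["stale"]:
        print(f"STALE   {host:10} last activity {age} days ago")
    for host in report["never"]:
        print(f"NEVER   {host:10} no LASTACTIVITY recorded")
    for host, age in report["recent"]:
        print(f"ok      {host:10} last activity {age} days ago")
```

Hosts in the "never" list deserve separate attention: they have either never reported since the field was introduced or run an agent that does not update it, and neither case can be told apart from the listing alone.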
The command "boksversion -h" can be used to list the hotfixes currently installed on the host.
Other CLI Improvements
For dumpbase, the option -t can now be used to dump multiple tables. The parameter is a comma-separated string of table numbers or names with no spaces allowed. Tables are dumped in the order specified.
A new CLI program, extauthadm, has been added for managing the external authentication server list. extauthadm supersedes ldapauthadm, but ldapauthadm is still supported. extauthadm adds support for multiple types of authentication servers; currently only the "ldap" type is used, but further server types will be added in future BoKS versions.
Conditional Processing of Client Requests
bridge_servc_r processing is now controlled by an ENV variable. You no longer have to comment servc out of the boksinit scripts in order to prevent serving Server Agent authentication/authorization requests. This is available for the Master and Replicas.
Force Client Update Retry
You can now use the command "boksdiag pushbatch ip-address [ip-address ...]" to force a re-send of batched client updates to given IP addresses instead of waiting for up to 30 minutes for it to happen.
Master/Replica Conversion Improvement
You do not have to enter the nodekey manually if you convert the Master to a Replica.
The root account can now be defined as a role on Solaris hosts.
Most of the common objects in BoKS now have comment fields. Comments are available for hosts, Host Groups, Access Rules, User Classes, UNIX groups, host pre-registration items, password regex rules, and authenticators (per user).